S T A T U T O R Y I N S T R U M E N T S

2003 No. 2426

ELECTRONIC COMMUNICATIONS
The Privacy and Electronic Communications (EC Directive)
Regulations 2003
Made - - - - 18th September 2003
Laid before Parliament 18th September 2003
Coming into force - - 11th December 2003
The Secretary of State, being a Minister designated(a) for the purposes of section 2(2) of the
European Communities Act 1972(b) in respect of matters relating to electronic communications,
in exercise of the powers conferred upon her by that section, hereby makes the following
Regulations:
Citation and commencement
1.These Regulations may be cited as the Privacy and Electronic Communications (EC Directive)
Regulations 2003 and shall come into force on 11th December 2003.
Interpretation
2.(1) In these Regulations
bill includes an invoice, account, statement or other document of similar character and
billing shall be construed accordingly;
call means a connection established by means of a telephone service available to the public
allowing two-way communication in real time;
communication means any information exchanged or conveyed between a finite number of
parties by means of a public electronic communications service, but does not include
information conveyed as part of a programme service, except to the extent that such
information can be related to the identifiable subscriber or user receiving the information;
communications provider has the meaning given by section 405 of the Communications Act
2003(c);
corporate subscriber means a subscriber who is
(a) a company within the meaning of section 735(1) of the Companies Act 1985(d);
(b) a company incorporated in pursuance of a royal charter or letters patent;
(c) a partnership in Scotland;
(d) a corporation sole; or
(a) S.I. 2001/3495.
(b) 1972 c. 68.
(c) 2003 c. 21; for the commencement of section 405, see section 411(2) and (3) of the same Act.
(d) 1985 c. 6.
2
(e) any other body corporate or entity which is a legal person distinct from its members;
the Directive means Directive 2002/58/EC of the European Parliament and of the Council of
12 July 2002 concerning the processing of personal data and the protection of privacy in the
electronic communications sector (Directive on privacy and electronic communications)(a);
electronic communications network has the meaning given by section 32 of the
Communications Act 2003(b);
electronic communications service has the meaning given by section 32 of the
Communications Act 2003;
electronic mail means any text, voice, sound or image message sent over a public electronic
communications network which can be stored in the network or in the recipients terminal
equipment until it is collected by the recipient and includes messages sent using a short
message service;
enactment includes an enactment comprised in, or in an instrument made under, an Act of
the Scottish Parliament;
individual means a living individual and includes an unincorporated body of such
individuals;
the Information Commissioner and the Commissioner both mean the Commissioner
appointed under section 6 of the Data Protection Act 1998(c);
information society service has the meaning given in regulation 2(1) of the Electronic
Commerce (EC Directive) Regulations 2002(d);
location data means any data processed in an electronic communications network indicating
the geographical position of the terminal equipment of a user of a public electronic
communications service, including data relating to
(f) the latitude, longitude or altitude of the terminal equipment;
(g) the direction of travel of the user; or
(h) the time the location information was recorded;
OFCOM means the Office of Communications as established by section 1 of the Office of
Communications Act 2002(e);
programme service has the meaning given in section 201 of the Broadcasting Act 1990(f);
public communications provider means a provider of a public electronic communications
network or a public electronic communications service;
public electronic communications network has the meaning given in section 151 of the
Communications Act 2003(g);
public electronic communications service has the meaning given in section 151 of the
Communications Act 2003;
subscriber means a person who is a party to a contract with a provider of public electronic
communications services for the supply of such services;
traffic data means any data processed for the purpose of the conveyance of a communication
on an electronic communications network or for the billing in respect of that communication
and includes data relating to the routing, duration or time of a communication;
user means any individual using a public electronic communications service; and
(a) OJ No L 201, 31.07.02, p. 37.
(b) For the commencement of section 32, see article 2(1) of S.I. 2003/1900 (C. 77).
(c) 1998 c. 29; section 6 was amended by section 18(4) of and paragraph 13(1) and (2) of Part 1 of Schedule 2 to the Freedom of
Information Act 2000 (c. 36).
(d) S.I. 2002/2013.
(e) 2002 c. 11.
(f) 1990 c. 42; section 201 was amended by section 148(1) of and paragraph 11 of Schedule 10 to the Broadcasting Act 1996 (c.
55).
(g) For the commencement of section 151, see article 2(1) of S.I. 2003/1900 (C. 77).
3
value added service means any service which requires the processing of traffic data or
location data beyond that which is necessary for the transmission of a communication or the
billing in respect of that communication.
(2) Expressions used in these Regulations that are not defined in paragraph (1) and are defined
in the Data Protection Act 1998 shall have the same meaning as in that Act.
(3) Expressions used in these Regulations that are not defined in paragraph (1) or the Data
Protection Act 1998 and are defined in the Directive shall have the same meaning as in the
Directive.
(4) Any reference in these Regulations to a line shall, without prejudice to paragraph (3), be
construed as including a reference to anything that performs the function of a line, and
connected, in relation to a line, is to be construed accordingly.
Revocation of the Telecommunications (Data Protection and Privacy) Regulations 1999
3.The Telecommunications (Data Protection and Privacy) Regulations 1999(a) and the
Telecommunications (Data Protection and Privacy) (Amendment) Regulations 2000(b) are hereby
revoked.
Relationship between these Regulations and the Data Protection Act 1998
4.Nothing in these Regulations shall relieve a person of his obligations under the Data
Protection Act 1998 in relation to the processing of personal data.
Security of public electronic communications services
5.(1) Subject to paragraph (2), a provider of a public electronic communications service (the
service provider) shall take appropriate technical and organisational measures to safeguard the
security of that service.
(2) If necessary, the measures required by paragraph (1) may be taken by the service provider in
conjunction with the provider of the electronic communications network by means of which the
service is provided, and that network provider shall comply with any reasonable requests made by
the service provider for these purposes.
(3) Where, notwithstanding the taking of measures as required by paragraph (1), there remains a
significant risk to the security of the public electronic communications service, the service
provider shall inform the subscribers concerned of
(a) the nature of that risk;
(b) any appropriate measures that the subscriber may take to safeguard against that risk; and
(c) the likely costs to the subscriber involved in the taking of such measures.
(4) For the purposes of paragraph (1), a measure shall only be taken to be appropriate if, having
regard to
(a) the state of technological developments, and
(b) the cost of implementing it,
it is proportionate to the risks against which it would safeguard.
(5) Information provided for the purposes of paragraph (3) shall be provided to the subscriber
free of any charge other than the cost to the subscriber of receiving or collecting the information.
(a) S.I. 1999/2093.
(b) S.I. 2000/157.
4
Confidentiality of communications
6.(1) Subject to paragraph (4), a person shall not use an electronic communications network
to store information, or to gain access to information stored, in the terminal equipment of a
subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment
(a) is provided with clear and comprehensive information about the purposes of the storage
of, or access to, that information; and
(b) is given the opportunity to refuse the storage of or access to that information.
(3) Where an electronic communications network is used by the same person to store or access
information in the terminal equipment of a subscriber or user on more than one occasion, it is
sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in
respect of the initial use.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information
(a) for the sole purpose of carrying out or facilitating the transmission of a communication
over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information
society service requested by the subscriber or user.
Restrictions on the processing of certain traffic data
7.(1) Subject to paragraphs (2) and (3), traffic data relating to subscribers or users which are
processed and stored by a public communications provider shall, when no longer required for the
purpose of the transmission of a communication, be
(a) erased;
(b) in the case of an individual, modified so that they cease to constitute personal data of that
subscriber or user; or
(c) in the case of a corporate subscriber, modified so that they cease to be data that would be
personal data if that subscriber was an individual.
(2) Traffic data held by a public communications provider for purposes connected with the
payment of charges by a subscriber or in respect of interconnection payments may be processed
and stored by that provider until the time specified in paragraph (5).
(3) Traffic data relating to a subscriber or user may be processed and stored by a provider of a
public electronic communications service if
(a) such processing and storage are for the purpose of marketing electronic communications
services, or for the provision of value added services to that subscriber or user; and
(b) the subscriber or user to whom the traffic data relate has given his consent to such
processing or storage; and
(c) such processing and storage are undertaken only for the duration necessary for the
purposes specified in subparagraph (a).
(4) Where a user or subscriber has given his consent in accordance with paragraph (3), he shall
be able to withdraw it at any time.
(5) The time referred to in paragraph (2) is the end of the period during which legal proceedings
may be brought in respect of payments due or alleged to be due or, where such proceedings are
brought within that period, the time when those proceedings are finally determined.
(6) Legal proceedings shall not be taken to be finally determined
(a) until the conclusion of the ordinary period during which an appeal may be brought by
either party (excluding any possibility of an extension of that period, whether by order of
a court or otherwise), if no appeal is brought within that period; or
(b) if an appeal is brought, until the conclusion of that appeal.
5
(7) References in paragraph (6) to an appeal include references to an application for permission
to appeal.
Further provisions relating to the processing of traffic data under regulation 7
8.(1) Processing of traffic data in accordance with regulation 7(2) or (3) shall not be
undertaken by a public communications provider unless the subscriber or user to whom the data
relate has been provided with information regarding the types of traffic data which are to be
processed and the duration of such processing and, in the case of processing in accordance with
regulation 7(3), he has been provided with that information before his consent has been obtained.
(2) Processing of traffic data in accordance with regulation 7 shall be restricted to what is
required for the purposes of one or more of the activities listed in paragraph (3) and shall be
carried out only by the public communications provider or by a person acting under his authority.
(3) The activities referred to in paragraph (2) are activities relating to
(a) the management of billing or traffic;
(b) customer enquiries;
(c) the prevention or detection of fraud;
(d) the marketing of electronic communications services; or
(e) the provision of a value added service.
(4) Nothing in these Regulations shall prevent the furnishing of traffic data to a person who is a
competent authority for the purposes of any provision relating to the settling of disputes (by way
of legal proceedings or otherwise) which is contained in, or made by virtue of, any enactment.
Itemised billing and privacy
9.(1) At the request of a subscriber, a provider of a public electronic communications service
shall provide that subscriber with bills that are not itemised.
(2) OFCOM shall have a duty, when exercising their functions under Chapter 1 of Part 2 of the
Communications Act 2003, to have regard to the need to reconcile the rights of subscribers
receiving itemised bills with the rights to privacy of calling users and called subscribers, including
the need for sufficient alternative privacy-enhancing methods of communications or payments to
be available to such users and subscribers.
Prevention of calling line identification outgoing calls
10.(1) This regulation applies, subject to regulations 15 and 16, to outgoing calls where a
facility enabling the presentation of calling line identification is available.
(2) The provider of a public electronic communications service shall provide users originating a
call by means of that service with a simple means to prevent presentation of the identity of the
calling line on the connected line as respects that call.
(3) The provider of a public electronic communications service shall provide subscribers to the
service, as respects their line and all calls originating from that line, with a simple means of
preventing presentation of the identity of that subscribers line on any connected line.
(4) The measures to be provided under paragraphs (2) and (3) shall be provided free of charge.
Prevention of calling or connected line identification incoming calls
11.(1) This regulation applies to incoming calls.
(2) Where a facility enabling the presentation of calling line identification is available, the
provider of a public electronic communications service shall provide the called subscriber with a
simple means to prevent, free of charge for reasonable use of the facility, presentation of the
identity of the calling line on the connected line.
6
(3) Where a facility enabling the presentation of calling line identification prior to the call being
established is available, the provider of a public electronic communications service shall provide
the called subscriber with a simple means of rejecting incoming calls where the presentation of the
calling line identification has been prevented by the calling user or subscriber.
(4) Where a facility enabling the presentation of connected line identification is available, the
provider of a public electronic communications service shall provide the called subscriber with a
simple means to prevent, without charge, presentation of the identity of the connected line on any
calling line.
(5) In this regulation called subscriber means the subscriber receiving a call by means of the
service in question whose line is the called line (whether or not it is also the connected line).
Publication of information for the purposes of regulations 10 and 11
12.Where a provider of a public electronic communications service provides facilities for calling
or connected line identification, he shall provide information to the public regarding the
availability of such facilities, including information regarding the options to be made available for
the purposes of regulations 10 and 11.
Co-operation of communications providers for the purposes of regulations 10 and 11
13.For the purposes of regulations 10 and 11, a communications provider shall comply with any
reasonable requests made by the provider of the public electronic communications service by
means of which facilities for calling or connected line identification are provided.
Restrictions on the processing of location data
14.(1) This regulation shall not apply to the processing of traffic data.
(2) Location data relating to a user or subscriber of a public electronic communications network
or a public electronic communications service may only be processed
(a) where that user or subscriber cannot be identified from such data; or
(b) where necessary for the provision of a value added service, with the consent of that user
or subscriber.
(3) Prior to obtaining the consent of the user or subscriber under paragraph (2)(b), the public
communications provider in question must provide the following information to the user or
subscriber to whom the data relate
(a) the types of location data that will be processed;
(b) the purposes and duration of the processing of those data; and
(c) whether the data will be transmitted to a third party for the purpose of providing the value
added service.
(4) A user or subscriber who has given his consent to the processing of data under paragraph
(2)(b) shall
(a) be able to withdraw such consent at any time, and
(b) in respect of each connection to the public electronic communications network in
question or each transmission of a communication, be given the opportunity to withdraw
such consent, using a simple means and free of charge.
(5) Processing of location data in accordance with this regulation shall
(a) only be carried out by
(i) the public communications provider in question;
(ii) the third party providing the value added service in question; or
(iii) a person acting under the authority of a person falling within (i) or (ii); and
7
(b) where the processing is carried out for the purposes of the provision of a value added
service, be restricted to what is necessary for those purposes.
Tracing of malicious or nuisance calls
15.(1) A communications provider may override anything done to prevent the presentation of
the identity of a calling line where
(a) a subscriber has requested the tracing of malicious or nuisance calls received on his line;
and
(b) the provider is satisfied that such action is necessary and expedient for the purposes of
tracing such calls.
(2) Any term of a contract for the provision of public electronic communications services which
relates to such prevention shall have effect subject to the provisions of paragraph (1).
(3) Nothing in these Regulations shall prevent a communications provider, for the purposes of
any action relating to the tracing of malicious or nuisance calls, from storing and making available
to a person with a legitimate interest data containing the identity of a calling subscriber which
were obtained while paragraph (1) applied.
Emergency calls
16.(1) For the purposes of this regulation, emergency calls means calls to either the national
emergency call number 999 or the single European emergency call number 112.
(2) In order to facilitate responses to emergency calls
(a) all such calls shall be excluded from the requirements of regulation 10;
(b) no person shall be entitled to prevent the presentation on the connected line of the identity
of the calling line; and
(c) the restriction on the processing of location data under regulation 14(2) shall be
disregarded.
Termination of automatic call forwarding
17.(1) Where
(a) calls originally directed to another line are being automatically forwarded to a
subscribers line as a result of action taken by a third party, and
(b) the subscriber requests his provider of electronic communications services (the
subscribers provider) to stop the forwarding of those calls,
the subscribers provider shall ensure, free of charge, that the forwarding is stopped without any
avoidable delay.
(2) For the purposes of paragraph (1), every other communications provider shall comply with
any reasonable requests made by the subscribers provider to assist in the prevention of that
forwarding.
Directories of subscribers
18.(1) This regulation applies in relation to a directory of subscribers, whether in printed or
electronic form, which is made available to members of the public or a section of the public,
including by means of a directory enquiry service.
(2) The personal data of an individual subscriber shall not be included in a directory unless that
subscriber has, free of charge, been
(a) informed by the collector of the personal data of the purposes of the directory in which
his personal data are to be included, and
8
(b) given the opportunity to determine whether such of his personal data as are considered
relevant by the producer of the directory should be included in the directory.
(3) Where personal data of an individual subscriber are to be included in a directory with
facilities which enable users of that directory to obtain access to that data solely on the basis of a
telephone number
(a) the information to be provided under paragraph (2)(a) shall include information about
those facilities; and
(b) for the purposes of paragraph (2)(b), the express consent of the subscriber to the inclusion
of his data in a directory with such facilities must be obtained.
(4) Data relating to a corporate subscriber shall not be included in a directory where that
subscriber has advised the producer of the directory that it does not want its data to be included in
that directory.
(5) Where the data of an individual subscriber have been included in a directory, that subscriber
shall, without charge, be able to verify, correct or withdraw those data at any time.
(6) Where a request has been made under paragraph (5) for data to be withdrawn from or
corrected in a directory, that request shall be treated as having no application in relation to an
edition of a directory that was produced before the producer of the directory received the request.
(7) For the purposes of paragraph (6), an edition of a directory which is revised after it was first
produced shall be treated as a new edition.
(8) In this regulation, telephone number has the same meaning as in section 56(5) of the
Communications Act 2003(a) but does not include any number which is used as an internet
domain name, an internet address or an address or identifier incorporating either an internet
domain name or an internet address, including an electronic mail address.
Use of automated calling systems
19.(1) A person shall neither transmit, nor instigate the transmission of, communications
comprising recorded matter for direct marketing purposes by means of an automated calling
system except in the circumstances referred to in paragraph (2).
(2) Those circumstances are where the called line is that of a subscriber who has previously
notified the caller that for the time being he consents to such communications being sent by, or at
the instigation of, the caller on that line.
(3) A subscriber shall not permit his line to be used in contravention of paragraph (1).
(4) For the purposes of this regulation, an automated calling system is a system which is capable
of
(a) automatically initiating a sequence of calls to more than one destination in accordance
with instructions stored in that system; and
(b) transmitting sounds which are not live speech for reception by persons at some or all of
the destinations so called.
Use of facsimile machines for direct marketing purposes
20.(1) A person shall neither transmit, nor instigate the transmission of, unsolicited
communications for direct marketing purposes by means of a facsimile machine where the called
line is that of
(a) an individual subscriber, except in the circumstances referred to in paragraph (2);
(b) a corporate subscriber who has previously notified the caller that such communications
should not be sent on that line; or
(a) 2003 c. 21; for the commencement of section 56(5), see article 2(1) of S.I. 2003/1900 (C. 77).
9
(c) a subscriber and the number allocated to that line is listed in the register kept under
regulation 25.
(2) The circumstances referred to in paragraph (1)(a) are that the individual subscriber has
previously notified the caller that he consents for the time being to such communications being
sent by, or at the instigation of, the caller.
(3) A subscriber shall not permit his line to be used in contravention of paragraph (1).
(4) A person shall not be held to have contravened paragraph (1)(c) where the number allocated
to the called line has been listed on the register for less than 28 days preceding that on which the
communication is made.
(5) Where a subscriber who has caused a number allocated to a line of his to be listed in the
register kept under regulation 25 has notified a caller that he does not, for the time being, object to
such communications being sent on that line by that caller, such communications may be sent by
that caller on that line, notwithstanding that the number allocated to that line is listed in the said
register.
(6) Where a subscriber has given a caller notification pursuant to paragraph (5) in relation to a
line of his
(a) the subscriber shall be free to withdraw that notification at any time, and
(b) where such notification is withdrawn, the caller shall not send such communications on
that line.
(7) The provisions of this regulation are without prejudice to the provisions of regulation 19.
Unsolicited calls for direct marketing purposes
21.(1) A person shall neither use, nor instigate the use of, a public electronic communications
service for the purposes of making unsolicited calls for direct marketing purposes where
(a) the called line is that of a subscriber who has previously notified the caller that such calls
should not for the time being be made on that line; or
(b) the number allocated to a subscriber in respect of the called line is one listed in the
register kept under regulation 26.
(2) A subscriber shall not permit his line to be used in contravention of paragraph (1).
(3) A person shall not be held to have contravened paragraph (1)(b) where the number allocated
to the called line has been listed on the register for less than 28 days preceding that on which the
call is made.
(4) Where a subscriber who has caused a number allocated to a line of his to be listed in the
register kept under regulation 26 has notified a caller that he does not, for the time being, object to
such calls being made on that line by that caller, such calls may be made by that caller on that line,
notwithstanding that the number allocated to that line is listed in the said register.
(5) Where a subscriber has given a caller notification pursuant to paragraph (4) in relation to a
line of his
(a) the subscriber shall be free to withdraw that notification at any time, and
(b) where such notification is withdrawn, the caller shall not make such calls on that line.
Use of electronic mail for direct marketing purposes
22.(1) This regulation applies to the transmission of unsolicited communications by means of
electronic mail to individual subscribers.
(2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor
instigate the transmission of, unsolicited communications for the purposes of direct marketing by
means of electronic mail unless the recipient of the electronic mail has previously notified the
sender that he consents for the time being to such communications being sent by, or at the
instigation of, the sender.
10
(3) A person may send or instigate the sending of electronic mail for the purposes of direct
marketing where
(a) that person has obtained the contact details of the recipient of that electronic mail in the
course of the sale or negotiations for the sale of a product or service to that recipient;
(b) the direct marketing is in respect of that persons similar products and services only; and
(c) the recipient has been given a simple means of refusing (free of charge except for the
costs of the transmission of the refusal) the use of his contact details for the purposes of
such direct marketing, at the time that the details were initially collected, and, where he
did not initially refuse the use of the details, at the time of each subsequent
communication.
(4) A subscriber shall not permit his line to be used in contravention of paragraph (2).
Use of electronic mail for direct marketing purposes where the identity or address of the
sender is concealed
23.A person shall neither transmit, nor instigate the transmission of, a communication for the
purposes of direct marketing by means of electronic mail
(a) where the identity of the person on whose behalf the communication has been sent has
been disguised or concealed; or
(b) where a valid address to which the recipient of the communication may send a request
that such communications cease has not been provided.
Information to be provided for the purposes of regulations 19, 20 and 21
24.(1) Where a public electronic communications service is used for the transmission of a
communication for direct marketing purposes the person using, or instigating the use of, the
service shall ensure that the following information is provided with that communication
(a) in relation to a communication to which regulations 19 (automated calling systems) and
20 (facsimile machines) apply, the particulars mentioned in paragraph (2)(a) and (b);
(b) in relation to a communication to which regulation 21 (telephone calls) applies, the
particulars mentioned in paragraph (2)(a) and, if the recipient of the call so requests, those
mentioned in paragraph (2)(b).
(2) The particulars referred to in paragraph (1) are
(a) the name of the person;
(b) either the address of the person or a telephone number on which he can be reached free of
charge.
Register to be kept for the purposes of regulation 20
25.(1) For the purposes of regulation 20 OFCOM shall maintain and keep up-to-date, in
printed or electronic form, a register of the numbers allocated to subscribers, in respect of
particular lines, who have notified them (notwithstanding, in the case of individual subscribers,
that they enjoy the benefit of regulation 20(1)(a) and (2)) that they do not for the time being wish
to receive unsolicited communications for direct marketing purposes by means of facsimile
machine on the lines in question.
(2) OFCOM shall remove a number from the register maintained under paragraph (1) where
they have reason to believe that it has ceased to be allocated to the subscriber by whom they were
notified pursuant to paragraph (1).
(3) On the request of
(a) a person wishing to send, or instigate the sending of, such communications as are
mentioned in paragraph (1), or
(b) a subscriber wishing to permit the use of his line for the sending of such communications,
11
for information derived from the register kept under paragraph (1), OFCOM shall, unless it is not
reasonably practicable so to do, on the payment to them of such fee as is, subject to paragraph (4),
required by them, make the information requested available to that person or that subscriber.
(4) For the purposes of paragraph (3) OFCOM may require different fees
(a) for making available information derived from the register in different forms or manners,
or
(b) for making available information derived from the whole or from different parts of the
register,
but the fees required by them shall be ones in relation to which the Secretary of State has notified
OFCOM that he is satisfied that they are designed to secure, as nearly as may be and taking one
year with another, that the aggregate fees received, or reasonably expected to be received, equal
the costs incurred, or reasonably expected to be incurred, by OFCOM in discharging their duties
under paragraphs (1), (2) and (3).
(5) The functions of OFCOM under paragraphs (1), (2) and (3), other than the function of
determining the fees to be required for the purposes of paragraph (3), may be discharged on their
behalf by some other person in pursuance of arrangements made by OFCOM with that other
person.
Register to be kept for the purposes of regulation 21
26.(1) For the purposes of regulation 21 OFCOM shall maintain and keep up-to-date, in
printed or electronic form, a register of the numbers allocated to individual subscribers, in respect
of particular lines, who have notified them that they do not for the time being wish to receive
unsolicited calls for direct marketing purposes on the lines in question.
(2) OFCOM shall remove a number from the register maintained under paragraph (1) where
they have reason to believe that it has ceased to be allocated to the subscriber by whom they were
notified pursuant to paragraph (1).
(3) On the request of
(a) a person wishing to make, or instigate the making of, such calls as are mentioned in
paragraph (1), or
(b) a subscriber wishing to permit the use of his line for the making of such calls,
for information derived from the register kept under paragraph (1), OFCOM shall, unless it is not
reasonably practicable so to do, on the payment to them of such fee as is, subject to paragraph (4),
required by them, make the information requested available to that person or that subscriber.
(4) For the purposes of paragraph (3) OFCOM may require different fees
(a) for making available information derived from the register in different forms or manners,
or
(b) for making available information derived from the whole or from different parts of the
register,
but the fees required by them shall be ones in relation to which the Secretary of State has notified
OFCOM that he is satisfied that they are designed to secure, as nearly as may be and taking one
year with another, that the aggregate fees received, or reasonably expected to be received, equal
the costs incurred, or reasonably expected to be incurred, by OFCOM in discharging their duties
under paragraphs (1), (2) and (3).
(5) The functions of OFCOM under paragraphs (1), (2) and (3), other than the function of
determining the fees to be required for the purposes of paragraph (3), may be discharged on their
behalf by some other person in pursuance of arrangements made by OFCOM with that other
person.
12
Modification of contracts
27.To the extent that any term in a contract between a subscriber to and the provider of a public
electronic communications service or such a provider and the provider of an electronic
communications network would be inconsistent with a requirement of these Regulations, that term
shall be void.
National security
28.(1) Nothing in these Regulations shall require a communications provider to do, or refrain
from doing, anything (including the processing of data) if exemption from the requirement in
question is required for the purpose of safeguarding national security.
(2) Subject to paragraph (4), a certificate signed by a Minister of the Crown certifying that
exemption from any requirement of these Regulations is or at any time was required for the
purpose of safeguarding national security shall be conclusive evidence of that fact.
(3) A certificate under paragraph (2) may identify the circumstances in which it applies by
means of a general description and may be expressed to have prospective effect.
(4) Any person directly affected by the issuing of a certificate under paragraph (2) may appeal to
the Tribunal against the issuing of the certificate.
(5) If, on an appeal under paragraph (4), the Tribunal finds that, applying the principles applied
by a court on an application for judicial review, the Minister did not have reasonable grounds for
issuing the certificate, the Tribunal may allow the appeal and quash the certificate.
(6) Where, in any proceedings under or by virtue of these Regulations, it is claimed by a
communications provider that a certificate under paragraph (2) which identifies the circumstances
in which it applies by means of a general description applies in the circumstances in question, any
other party to the proceedings may appeal to the Tribunal on the ground that the certificate does
not apply in those circumstances and, subject to any determination under paragraph (7), the
certificate shall be conclusively presumed so to apply.
(7) On any appeal under paragraph (6), the Tribunal may determine that the certificate does not
so apply.
(8) In this regulation
(a) the Tribunal means the Information Tribunal referred to in section 6 of the Data
Protection Act 1998(a);
(b) Subsections (8), (9), (10) and (12) of section 28 of and Schedule 6 to that Act apply for
the purposes of this regulation as they apply for the purposes of section 28;
(c) section 58 of that Act shall apply for the purposes of this regulation as if the reference in
that section to the functions of the Tribunal under that Act included a reference to the
functions of the Tribunal under paragraphs (4) to (7) of this regulation; and
(d) subsections (1), (2) and (5)(f) of section 67 of that Act shall apply in respect of the
making of rules relating to the functions of the Tribunal under this regulation.
Legal requirements, law enforcement etc.
29.(1) Nothing in these Regulations shall require a communications provider to do, or refrain
from doing, anything (including the processing of data)
(a) if compliance with the requirement in question
(i) would be inconsistent with any requirement imposed by or under an enactment or by
a court order; or
(ii) would be likely to prejudice the prevention or detection of crime or the apprehension
or prosecution of offenders; or
(a) 1998 c. 29.
13
(b) if exemption from the requirement in question
(i) is required for the purposes of, or in connection with, any legal proceedings
(including prospective legal proceedings);
(ii) is necessary for the purposes of obtaining legal advice; or
(iii) is otherwise necessary for the purposes of establishing, exercising or defending legal
rights.
Proceedings for compensation for failure to comply with requirements of the Regulations
30.(1) A person who suffers damage by reason of any contravention of any of the
requirements of these Regulations by any other person shall be entitled to bring proceedings for
compensation from that other person for that damage.
(2) In proceedings brought against a person by virtue of this regulation it shall be a defence to
prove that he had taken such care as in all the circumstances was reasonably required to comply
with the relevant requirement.
(3) The provisions of this regulation are without prejudice to those of regulation 31.
Enforcement extension of Part V of the Data Protection Act 1998
31.(1) The provisions of Part V of the Data Protection Act 1998 and of Schedules 6 and 9 to
that Act are extended for the purposes of these Regulations and, for those purposes, shall have
effect subject to the modifications set out in Schedule 1.
(2) In regulations 32 and 33, enforcement functions means the functions of the Information
Commissioner under the provisions referred to in paragraph (1) as extended by that paragraph.
(3) The provisions of this regulation are without prejudice to those of regulation 30.
Request that the Commissioner exercise his enforcement functions
32.Where it is alleged that there has been a contravention of any of the requirements of these
Regulations either OFCOM or a person aggrieved by the alleged contravention may request the
Commissioner to exercise his enforcement functions in respect of that contravention, but those
functions shall be exercisable by the Commissioner whether or not he has been so requested.
Technical advice to the Commissioner
33.OFCOM shall comply with any reasonable request made by the Commissioner, in connection
with his enforcement functions, for advice on technical and similar matters relating to electronic
communications.
Amendment to the Telecommunications (Lawful Business Practice) (Interception of
Communications) Regulations 2000
34.In regulation 3 of the Telecommunications (Lawful Business Practice) (Interception of
Communications) Regulations 2000(a), for paragraph (3), there shall be substituted
(3) Conduct falling within paragraph (1)(a)(i) above is authorised only to the extent that
Article 5 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July
2002 concerning the processing of personal data and the protection of privacy in the
electronic communications sector so permits..
(a) S.I. 2000/2699.
14
Amendment to the Electronic Communications (Universal Service) Order 2003
35.(1) In paragraphs 2(2) and 3(2) of the Schedule to the Electronic Communications
(Universal Service) Order 2003(a), for the words Telecommunications (Data Protection and
Privacy) Regulations 1999 there shall be substituted Privacy and Electronic Communications
(EC Directive) Regulations 2003.
(2) Paragraph (1) shall have effect notwithstanding the provisions of section 65 of the
Communications Act 2003(b) (which provides for the modification of the Universal Service Order
made under that section).
Transitional provisions
36.The provisions in Schedule 2 shall have effect.
Stephen Timms,
Minister of State for Energy, E-Commerce and Postal Services,
18th September 2003 Department of Trade and Industry
(a) S.I. 2003/1094.
(b) 2003 c. 21; for the commencement of section 65, see article 2(1) of S.I. 2003/1900 (C. 77).
15
SCHEDULE 1 Regulation 31
Modifications for the purposes of these Regulations to Part V of the Data
Protection Act 1998 and Schedules 6 and 9 to that Act as extended by
Regulation 31
1. In section 40
(a) in subsection (1), for the words data controller there shall be substituted the word
person, for the words data protection principles there shall be substituted the words
requirements of the Privacy and Electronic Communications (EC Directive) Regulations
2003 (in this Part referred to as the relevant requirements) and for the words principle
or principles there shall be substituted the words requirement or requirements;
(b) in subsection (2), the words or distress shall be omitted;
(c) subsections (3), (4), (5), (9) and (10) shall be omitted; and
(d) in subsection (6)(a), for the words data protection principle or principles there shall be
substituted the words relevant requirement or requirements.
2. In section 41(1) and (2), for the words data protection principle or principles, in both places
where they occur, there shall be substituted the words relevant requirement or requirements.
3. Section 42 shall be omitted.
4. In section 43
(a) for subsections (1) and (2) there shall be substituted the following provisions
(1) If the Commissioner reasonably requires any information for the purpose of
determining whether a person has complied or is complying with the relevant requirements,
he may serve that person with a notice (in this Act referred to as an information notice)
requiring him, within such time as is specified in the notice, to furnish the Commissioner,
in such form as may be so specified, with such information relating to compliance with the
relevant requirements as is so specified.
(2) An information notice must contain a statement that the Commissioner regards the
specified information as relevant for the purpose of determining whether the person has
complied or is complying with the relevant requirements and his reason for regarding it as
relevant for that purpose.
(b) in subsection (6)(a), after the word under there shall be inserted the words the Privacy
and Electronic Communications (EC Directive) Regulations 2003 or;
(c) in subsection (6)(b), after the words arising out of there shall be inserted the words
the said Regulations or; and
(d) subsection (10) shall be omitted.
5. Sections 44, 45 and 46 shall be omitted.
6. In section 47
(a) in subsection (1), for the words an information notice or special information notice
there shall be substituted the words or an information notice; and
(b) in subsection (2) the words or a special information notice shall be omitted.
7. In section 48
(a) in subsections (1) and (3), for the words an information notice or a special information
notice, in both places where they occur, there shall be substituted the words or an
information notice;
16
(b) in subsection (3) for the words 43(5) or 44(6) there shall be substituted the words or
43(5); and
(c) subsection (4) shall be omitted.
8. In section 49 subsection (5) shall be omitted.
9. In paragraph 4(1) of Schedule (6), for the words (2) or (4) there shall be substituted the
words or (2).
10. In paragraph 1 of Schedule 9
(a) for subparagraph (1)(a) there shall be substituted the following provision
(a) that a person has contravened or is contravening any of the requirements of the
Privacy and Electronic Communications (EC Directive) Regulations 2003 (in this
Schedule referred to as the 2003 Regulations) or;
and
(b) subparagraph (2) shall be omitted.
11. In paragraph 9 of Schedule 9
(a) in subparagraph (1)(a) after the words rights under there shall be inserted the words
the 2003 Regulations or; and
(b) in subparagraph (1)(b) after the words arising out of there shall be inserted the words
the 2003 Regulations or.
17
SCHEDULE 2 Regulation 36
Transitional provisions
Interpretation
1. In this Schedule the 1999 Regulations means the Telecommunications (Data Protection and
Privacy) Regulations 1999 and caller has the same meaning as in regulation 21 of the 1999
Regulations.
Directories
2.(1) Regulation 18 of these Regulations shall not apply in relation to editions of directories
first published before 11th December 2003.
(2) Where the personal data of a subscriber have been included in a directory in accordance with
Part IV of the 1999 Regulations, the personal data of that subscriber may remain included in that
directory provided that the subscriber
(a) has been provided with information in accordance with regulation 18 of these
Regulations; and
(b) has not requested that his data be withdrawn from that directory.
(3) Where a request has been made under subparagraph (2) for data to be withdrawn from a
directory, that request shall be treated as having no application in relation to an edition of a
directory that was produced before the producer of the directory received the request.
(4) For the purposes of subparagraph (3), an edition of a directory, which is revised after it was
first produced, shall be treated as a new edition.
Notifications
3.(1) A notification of consent given to a caller by a subscriber for the purposes of regulation
22(2) of the 1999 Regulations is to have effect on and after 11th December 2003 as a notification
given by that subscriber for the purposes of regulation 19(2) of these Regulations.
(2) A notification given to a caller by a corporate subscriber for the purposes of regulation
23(2)(a) of the 1999 Regulations is to have effect on and after 11th December 2003 as a
notification given by that subscriber for the purposes of regulation 20(1)(b) of these Regulations.
(3) A notification of consent given to a caller by an individual subscriber for the purposes of
regulation 24(2) of the 1999 Regulations is to have effect on and after 11th December 2003 as a
notification given by that subscriber for the purposes of regulation 20(2) of these Regulations.
(4) A notification given to a caller by an individual subscriber for the purposes of regulation
25(2)(a) of the 1999 Regulations is to have effect on and after the 11th December 2003 as a
notification given by that subscriber for the purposes of regulation 21(1) of these Regulations.
Registers kept under regulations 25 and 26
4.(1) A notification given by a subscriber pursuant to regulation 23(4)(a) of the 1999
Regulations to the Director General of Telecommunications (or to such other person as is
discharging his functions under regulation 23(4) of the 1999 Regulations on his behalf by virtue of
an arrangement made under regulation 23(6) of those Regulations) is to have effect on or after
11th December 2003 as a notification given pursuant to regulation 25(1) of these Regulations.
(2) A notification given by a subscriber who is an individual pursuant to regulation 25(4)(a) of
the 1999 Regulations to the Director General of Telecommunications (or to such other person as is
discharging his functions under regulation 25(4) of the 1999 Regulations on his behalf by virtue of
an arrangement made under regulation 25(6) of those Regulations) is to have effect on or after
11th December 2003 as a notification given pursuant to regulation 26(1) of these Regulations.
18
References in these Regulations to OFCOM
5. In relation to times before an order made under section 411(a) of the Communications Act
2003 brings any of the provisions of Part 2 of Chapter 1 of that Act into force for the purpose of
conferring on OFCOM the functions contained in those provisions, references to OFCOM in these
Regulations are to be treated as references to the Director General of Telecommunications.
(a) For the commencement of section 411, see section 411(2) and (3) of the Communications Act 2003 (c. 21).
19
EXPLANATORY NOTE
(This note is not part of the Regulations)
These Regulations implement Articles 2, 4, 5(3), 6 to 13, 15 and 16 of Directive 2002/58/EC of
the European Parliament and of the Council of 12 July 2002 concerning the processing of personal
data and the protection of privacy in the electronic communications sector (Directive on privacy
and electronic communications) (the Directive).
The Directive repeals and replaces Directive 97/66/EC of the European Parliament and of the
Council of 15 December 1997 concerning the processing of personal data and the protection of
privacy in the telecommunications sector which was implemented in the UK by the
Telecommunications (Data Protection and Privacy) Regulations 1999. Those Regulations are
revoked by regulation 3 of these Regulations.
Regulation 2 sets out the definitions which apply for the purposes of the Regulations.
Regulation 4 provides that nothing in these Regulations relieves a person of any of his obligations
under the Data Protection Act 1998.
Regulation 5 imposes a duty on a provider of a public electronic communications service to take
measures, if necessary in conjunction with the provider of the electronic communications network
by means of which the service is provided, to safeguard the security of the service, and requires
the provider of the electronic communications network to comply with the service providers
reasonable requests made for the purposes of taking the measures (public electronic
communications service has the meaning given by section 151 of the Communications Act 2003
and electronic communications network has the meaning given by section 32 of that Act).
Regulation 5 further requires the service provider, where there remains a significant risk to the
security of the service, to provide subscribers to that service with certain information (subscriber
is defined as a person who is a party to a contract with a provider of public electronic
communications services for the supply of such services).
Regulation 6 provides that an electronic communications network may not be used to store or gain
access to information in the terminal equipment of a subscriber or user (user is defined as any
individual using a public electronic communications service) unless the subscriber or user is
provided with certain information and is given the opportunity to refuse the storage of or access to
the information in his terminal equipment.
Regulations 7 and 8 set out certain restrictions on the processing of traffic data relating to a
subscriber or user by a public communications provider. Traffic data is defined as any data
processed for the purpose of the conveyance of a communication on an electronic communications
network or for the billing in respect of that communication. Public communications provider is
defined as a provider of a public electronic communications network or a public electronic
communications service.
Regulation 9 requires providers of public electronic communications services to provide
subscribers with non-itemised bills on request and requires OFCOM to have regard to certain
matters when exercising their functions under Chapter 1 of Part 2 of the Communications Act
2003.
Regulation 10 requires a provider of a public electronic communications service to provide users
of the service with a means of preventing the presentation of calling line identification on a call-
by-call basis, and to provide subscribers to the service with a means of preventing the presentation
of such identification on a per-line basis. This regulation is subject to regulations 15 and 16.
Regulation 11 requires the provider of a public electronic communications service to provide
subscribers to that service with certain facilities where facilities enabling the presentation of
connected line identification or calling line identification are available.
20
Regulation 12 requires a public electronic communications service provider to provide certain
information to the public for the purposes of regulations 10 and 11, and regulation 13 requires
communications providers (the term communications provider has the meaning given by section
405 of the Communications Act 2003) to co-operate with reasonable requests made by providers
of public electronic communications services for the purposes of those regulations.
Regulation 14 imposes certain restrictions on the processing of location data, which is defined as
any data processed in an electronic communications network indicating the geographical position
of the terminal equipment of a user of a public electronic communications service, including data
relating to the latitude, longitude or altitude of the terminal equipment; the direction of travel of
the user; or the time the location information was recorded.
Regulation 15 makes provision in relation to the tracing of malicious or nuisance calls and
regulation 16 makes provision in relation to emergency calls, which are defined in regulation
16(1) as calls to the national emergency number 999 or the European emergency call number 112.
Regulation 17 requires the provider of an electronic communications service to a subscriber to
stop, on request, the automatic forwarding of calls to that subscribers line and also requires other
communications providers to comply with reasonable requests made by the subscribers provider
to assist in the prevention of that forwarding.
Regulation 18 applies to directories of subscribers, and sets out requirements that must be satisfied
where data relating to subscribers is included in such directories. It also gives subscribers the right
to verify, correct or withdraw their data in directories.
Regulation 19 provides that a person may not transmit communications comprising recorded
matter for direct marketing purposes by an automated calling system unless the line called is that
of a subscriber who has notified the caller that he consents to such communications being made.
Regulations 20, 21 and 22 set out the circumstances in which persons may transmit, or instigate
the transmission of, unsolicited communications for the purposes of direct marketing by means of
facsimile machine, make unsolicited calls for those purposes, or transmit unsolicited
communications by means of electronic mail for those purposes. Regulation 22 (electronic mail)
applies only to transmissions to individual subscribers (the term individual means a living
individual and includes an unincorporated body of such individuals).
Regulation 23 prohibits the sending of communications by means of electronic mail for the
purposes of direct marketing where the identity of the person on whose behalf the communication
is made has been disguised or concealed or an address to which requests for such communications
to cease may be sent has not been provided.
Regulation 24 sets out certain information that must be provided for the purposes of regulations
19, 20 and 21.
Regulation 25 imposes a duty on OFCOM, for the purposes of regulation 20, to maintain and keep
up-to-date a register of numbers allocated to subscribers who do not wish to receive unsolicited
communications by means of facsimile machine for the purposes of direct marketing. Regulation
26 imposes a similar obligation for the purposes of regulation 21 in respect of individual
subscribers who do not wish to receive calls for the purposes of direct marketing.
Regulation 27 provides that terms in certain contracts which are inconsistent with these
Regulations shall be void.
Regulation 28 exempts communications providers from the requirements of these Regulations
where exemption is required for the purpose of safeguarding national security and further provides
that a certificate signed by a Minister of the Crown to the effect that exemption from a
requirement is necessary for the purpose of safeguarding national security shall be conclusive
evidence of that fact. It also provides for certain questions relating to such certificates to be
determined by the Information Tribunal referred to in section 6 of the Data Protection Act 1998.
21
Regulation 29 provides that a communications provider shall not be required by these Regulations
to do, or refrain from doing, anything if complying with the requirement in question would be
inconsistent with a requirement imposed by or under an enactment or by a court order, or if
exemption from the requirement is necessary in connection with legal proceedings, for the
purposes of obtaining legal advice or is otherwise necessary to establish, exercise or defend legal
rights.
Regulation 30 allows a claim for damages to be brought in respect of contraventions of the
Regulations.
Regulations 31 and 32 make provision in connection with the enforcement of the Regulations by
the Information Commissioner (who is the Commissioner appointed under section 6 of the Data
Protection Act 1998).
Regulation 33 imposes a duty on OFCOM to comply with any reasonable request made by the
Commissioner for advice on technical matters relating to electronic communications.
Regulation 34 amends the Telecommunications (Lawful Business Practice) (Interception of
Communications) Regulations 2000 and regulation 35 amends the Electronic Communications
(Universal Service) Order 2003.
Regulation 36 provides for the transitional provisions in Schedule 2 to have effect.
A transposition note setting out how the main elements of the Directive are transposed into law
and a regulatory impact assessment have been placed in the libraries of both Houses of Parliament.
Copies are also available from the Department of Trade and Industry, Bay 202, 151 Buckingham
Palace Road, London SW1W 9SS and can also be found on www.dti.gov.uk.

S T A T U T O R Y I N S T R U M E N T S
2003 No. 2426
ELECTRONIC COMMUNICATIONS
The Privacy and Electronic Communications (EC Directive)
Regulations 2003
4.00
Crown copyright 2003
Printed and published in the UK by The Stationery Office Limited
under the authority and superintendence of Carol Tullo, Controller of Her Majestys
Stationery Office and Queens Printer of Acts of Parliament.
E1323 9/2003 131323 19585
ISBN 0-11-047594-1
9 780110 475943